token-server: Delegation config import, validation and evaluation.

tokenserver/appengine/frontend/main.go

 // Copyright 2016 The LUCI Authors. All rights reserved.
 // Use of this source code is governed under the Apache License, Version 2.0
 // that can be found in the LICENSE file.
 
 // Package frontend implements HTTP server that handles requests to default
 // module.
 //
 // It stitches together all the code.
 package frontend
 
@@ skipping 111 matching lines @@
         c.Writer.WriteHeader(http.StatusOK)
 }
 
 // readConfigCron is handler for /internal/cron/read-config GAE cron task.
 func readConfigCron(c *router.Context) {
         // Don't override manually imported configs with 'nil' on devserver.
         if info.IsDevAppServer(c.Context) {
                 c.Writer.WriteHeader(http.StatusOK)
                 return
         }
-        if _, err := adminServerWithoutAuth.ImportCAConfigs(c.Context, nil); err != nil {
-                panic(err) // let panic catcher deal with it
-        }
-        c.Writer.WriteHeader(http.StatusOK)
+
+        wg := sync.WaitGroup{}
+        var errs [2]error
+
+        wg.Add(1)
+        go func() {
+                defer wg.Done()
+                _, errs[0] = adminServerWithoutAuth.ImportCAConfigs(c.Context, nil)
+                if errs[0] != nil {
+                        logging.Errorf(c.Context, "ImportCAConfigs failed - %s", errs[0])
+                }
+        }()
+
+        wg.Add(1)
+        go func() {
+                defer wg.Done()
+                _, errs[1] = adminServerWithoutAuth.ImportDelegationConfigs(c.Context, nil)
+                if errs[1] != nil {
+                        logging.Errorf(c.Context, "ImportDelegationConfigs failed - %s", errs[1])
+                }
+        }()
+
+        wg.Wait()
+
+        // Retry cron job only on transient errors. On fatal errors let it rerun one
+        // minute later, as usual, to avoid spamming logs with errors.
+        c.Writer.WriteHeader(statusFromErrs(errs[:]))
 }
 
 // fetchCRLCron is handler for /internal/cron/fetch-crl GAE cron task.
 func fetchCRLCron(c *router.Context) {
         list, err := caServerWithoutAuth.ListCAs(c.Context, nil)
         if err != nil {
                 panic(err) // let panic catcher deal with it
         }
 
         // Fetch CRL of each active CA in parallel. In practice there are very few
         // CAs there (~= 1), so the risk of OOM is small.
         wg := sync.WaitGroup{}
         errs := make([]error, len(list.Cn))
         for i, cn := range list.Cn {
                 wg.Add(1)
                 go func(i int, cn string) {
                         defer wg.Done()
                         _, err := caServerWithoutAuth.FetchCRL(c.Context, &admin.FetchCRLRequest{Cn: cn})
                         if err != nil {
                                 logging.Errorf(c.Context, "FetchCRL(%q) failed - %s", cn, err)
                                 errs[i] = err
                         }
                 }(i, cn)
         }
         wg.Wait()
 
         // Retry cron job only on transient errors. On fatal errors let it rerun one
         // minute later, as usual, to avoid spamming logs with errors.
-        status := http.StatusOK
-        for _, err = range errs {
+        c.Writer.WriteHeader(statusFromErrs(errs))
+}
+
+// statusFromErrs returns 500 if any of gRPC errors is codes.Internal.
+func statusFromErrs(errs []error) int {
+        for _, err := range errs {
                 if grpc.Code(err) == codes.Internal {
-                        status = http.StatusInternalServerError
-                        break
+                        return http.StatusInternalServerError
                 }
         }
-        c.Writer.WriteHeader(status)
+        return http.StatusOK
 }